
Training classes offered during SyScan'09 Taipei:
| Course Code | Course Title | Instructor | Course Fee (Individual) |
|---|---|---|---|
| TW09-01 | Writing Windows Shellcode | Dave Aitel | NT$10,000 |
| TW09-02 | Java/J2EE Security | Marc Schönefeld | NT$10,000 |
| TW09-03 | Building a Secure Wireless Network | Cédric Blancher | NT$10,000 |
TW09-01 - Writing Windows Shellcode
Immunity proposes teaching its 1-day "Writing Windows Shellcode" class. This class will not require the use of any commercial (pay for) software tools, making it easy to deliver to students of all backgrounds.
A one-day class that introduces the student to the black art of shellcode writing, covering everything from simple to state-of-the-art Windows shellcode, taught mostly in a hands-on, lab-oriented fashion.
• Introduction to i386 assembler for shellcode writers.
• Immunity Debugger Basics
• MOSDEF Usage
• Shellcode theory
• Basic Shellcodes
- Connect Back
- Port Binding
- Command execution
- HTTP Download and Execute
• Encoders:
- Basics
- Writing your own
• Advanced Shellcodes
- Inject into Process
- Fork and Load
- Tricks from the field
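The "Encoders: writing your own" item above is the one part of this outline that lends itself to a small worked example. The following C program is an added illustration written for this page; it is not Immunity's code or course material. It implements the simplest useful encoder, a single-byte XOR with bad-byte avoidance: given a payload and a list of bytes the delivery path will mangle (here the usual 0x00, 0x0a and 0x0d, an assumption for the example), it searches for a key that is itself clean and that leaves no bad byte in the encoded output, then round-trips the result. The sample payload is constructed for the example and is not real shellcode; the x86 decoder stub that would be prepended to the encoded bytes is not shown, only the byte transformation it performs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample payload for this example: NOT real shellcode, just
   bytes chosen to contain the classic bad bytes 0x00, 0x0a and 0x0d
   (string terminator, LF, CR) plus 0x01 and 0x02 so that the key search
   has to reject its first two candidates. */
const unsigned char sample_payload[] = {
    0x31, 0xc0, 0x50, 0x68, 0x00, 0x0a, 0x0d, 0x01, 0x02, 0x41, 0x42, 0x43
};
const size_t sample_len = sizeof sample_payload;

/* Assumed bad-byte list: bytes the delivery path will truncate or mangle on. */
const unsigned char bad_bytes[] = { 0x00, 0x0a, 0x0d };
const size_t bad_len = sizeof bad_bytes;

static int is_bad(unsigned char b, const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < nbad; i++)
        if (bad[i] == b)
            return 1;
    return 0;
}

/* Number of bad bytes present in buf; 0 means the buffer is clean. */
size_t count_bad(const unsigned char *buf, size_t len,
                 const unsigned char *bad, size_t nbad)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += is_bad(buf[i], bad, nbad);
    return n;
}

/* Find the lowest key k in 1..255 such that k is not itself a bad byte
   (the decoder stub carries it as an immediate) and every payload byte
   XOR k is clean. Returns -1 when no single-byte key works, which is the
   signal to move to a multi-byte or additive encoder instead. */
int pick_xor_key(const unsigned char *payload, size_t len,
                 const unsigned char *bad, size_t nbad)
{
    for (int k = 1; k < 256; k++) {
        if (is_bad((unsigned char)k, bad, nbad))
            continue;
        int ok = 1;
        for (size_t i = 0; i < len && ok; i++)
            if (is_bad((unsigned char)(payload[i] ^ k), bad, nbad))
                ok = 0;
        if (ok)
            return k;
    }
    return -1;
}

/* XOR every byte with key. Encoding and decoding are the same operation;
   a real decoder stub loops over the payload in memory doing exactly this. */
void xor_transform(const unsigned char *src, unsigned char *dst, size_t len,
                   unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i] ^ key;
}

/* End-to-end check on the constructed sample: pick a key, encode, verify
   the encoded bytes are clean, decode, verify the original comes back.
   Returns 1 on success, 0 on any failure. */
int demo_roundtrip(void)
{
    unsigned char enc[sizeof sample_payload];
    unsigned char dec[sizeof sample_payload];

    int key = pick_xor_key(sample_payload, sample_len, bad_bytes, bad_len);
    if (key < 0)
        return 0;
    xor_transform(sample_payload, enc, sample_len, (unsigned char)key);
    if (count_bad(enc, sample_len, bad_bytes, bad_len) != 0)
        return 0;
    xor_transform(enc, dec, sample_len, (unsigned char)key);
    return memcmp(dec, sample_payload, sample_len) == 0;
}

int main(void)
{
    int key = pick_xor_key(sample_payload, sample_len, bad_bytes, bad_len);
    printf("bad bytes in raw payload: %zu\n",
           count_bad(sample_payload, sample_len, bad_bytes, bad_len));
    printf("chosen XOR key: %d\n", key);
    printf("round trip %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return demo_roundtrip() ? 0 : 1;
}
```

On the constructed sample the search rejects keys 1 and 2 (each maps a payload byte to 0x00) and settles on 3. The point a practitioner should take from this is the two-sided constraint: the key must be clean because it ends up inside the decoder stub, and the stub itself must be free of bad bytes too, which is the part that makes hand-written encoders harder than this transform suggests.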
Instructor:
Dave Aitel
The Founder and CTO of Immunity, Dave Aitel, was a consultant with @stake and a research scientist with
the National Security Agency. Dave's background lies in Linux and Unix systems. His focus changed to Windows
exploitation after founding Immunity, and in more recent years has expanded to include web applications and
engine development for CANVAS such as MOSDEF, the engine's C compiler. Dave continues to write CANVAS exploits
and conduct security research while leading the technical team and product and service direction at Immunity.
He oversees all technical projects at Immunity.
TW09-02 - Java / JEE Security
JEE is known as a framework for building Java business applications. Vulnerabilities in these applications are on the one hand introduced by the framework software itself, and on the other hand, more often, by the application developers. For a complete JEE security audit it is therefore more important to build up the skill to "feel" the attack surface than to apply pre-built exploits that only expose framework bugs.
This class starts by describing the important parameters that define the attack surface, such as dangerous code patterns, configuration settings and reasonable secure defaults. Examples of real-life vulnerabilities are used to show the participants how simple bugs create holes; we cover both perspectives, the bug and the fix. The curriculum goes on to present and train the use of the tool set necessary to spot vulnerable code, with techniques such as code skim reading, binary scanning, reverse engineering and interpreting the hidden security message of harmless-looking heap, thread and stack dumps.
The trainer has been involved with the deeper details of Java security for about seven years and has shown the success of the presented method by finding a large range of CVE-relevant vulnerabilities. This class does not require prior knowledge of the Java bytecode set, but a deeper understanding of how JVMs work, mixed with creativity, is very helpful for turning the presented techniques into personal success.
The examples and exercises shown in this class cover Apache Tomcat, Apache Geronimo and Sun GlassFish.
The topics presented are:
• The Java architecture, JVMs and bytecode
• The Java security model
• Secure programming in a nutshell
• Java vulnerabilities, how they differ from C-type bugs
• The JEE architecture
• Open holes in JEE, how to spot them
• How to harden a JEE server
• Tools and toys to prepare and conduct JEE pentests
• Writing self-assessment clients
• Short excursion to web security, XSS and XSRF, how to spot and prevent them in JEE
• Examples, examples, ...
Instructor:
Marc Schönefeld
Marc Schönefeld has been involved with the deeper details of Java security for about seven years and has shown the success of the presented method by finding a large range of CVE-relevant vulnerabilities.
After having worked in banking IT for 10 years he moved to a large operating system vendor to identify and prevent vulnerable parts in open source Java distributions. He has spoken at major conferences such as Blackhat, RSA, XCon, HackInTheBox and PacSec.
2002: Blackhat Security Aspects Bytecode Engineering
2003: Java Vulnerabilities, joint paper with iDefense
2003: Java Vulnerabilities (shown at RSA Europe)
2004: D-A-CH Security: Java Side-Channel attacks
2004: DIMVA: Java Vulnerabilities
2004: Second place in RSA European Security Award
2005: RSA USA, Java Security Antipatterns (=> Bellua, Xcon, HITB)
2006: DIMVA: Practical Impact of Java Security Antipatterns (=> Blackhat, Xcon, HITB, WebSec)
2006: PacSec: Security Aspects of .NET WCF
2007: PacSec: Intellectual Property Protection in Java and JEE
TW09-03 - Building a Secure Wireless Network
Wireless LANs are now widely deployed and have often introduced an explosion of security issues and unique vulnerabilities. Despite the current state of the art in wireless security, many available Wi-Fi networks still appear not to be properly secured. Intended for both network administrators and auditors, this training brings them up to date with state-of-the-art Wi-Fi security technologies, providing detailed background and practical hands-on exercises. At the end of this course, they will be able to integrate secure wireless environments into their existing infrastructure, and to assess and maintain their security level.
Pre-requisite:
• Ethernet and TCP/IP knowledge, and experience
• 802.11 experience is a plus
This training features practical exercises that need specific prerequisites. In order to get the most out of them, students will need a laptop on which the BackTrack v2 Stable Release live CD-ROM[1] runs properly[2], with an injection-capable wireless adapter[3] (Atheros-based adapter strongly advised).
• [1] http://www.remote-exploit.org/backtrack.html
• [2] http://backtrack.offensive-security.com/index.php?title=HCL:Laptops
• [3] http://backtrack.offensive-security.com/index.php?title=HCL:Wireless
Class Outline:
• Quick Wi-Fi basics wrap-up
• Wi-Fi networks security assessment
- Wi-Fi security considerations through examples
- Wi-Fi networks enumeration techniques and tools
• Wi-Fi weaknesses
- Intrinsic weaknesses
- Bypassing basic security features
- WEP flaws and cracking techniques
- Applied malicious traffic injection
- Wi-Fi stations exposure
• Wireless networks assessment methodology
- From discovery to security evaluation
• Building secure Wi-Fi networks
- Wi-Fi security features
- 802.1X authentication
- Wi-Fi Protected Access
- IEEE 802.11i/WPA2
- Wi-Fi Protected Setup
• Integrating Wi-Fi within existing infrastructures
- Possible interactions
- Use case study
• Roadmap and key points
Instructor:
Cédric Blancher
Cédric has been working for 7 years in the network security field,
performing audits and penetration tests. In 2004, he joined EADS Innovation Works
and now runs the Computer Security Research Lab in Suresnes, France. His research
focuses on network security, wireless links and protocol security, Wi-Fi in particular.
He is an active member of the Rstack team and the French Honeynet Project, with studies on honeynet
containment, honeypot farms and network traffic analysis. He has delivered technical
presentations and trainings worldwide, written papers and articles on network security
and wrote the Wi-Fi traffic injection tool Wifitap. Cédric's website: http://sid.rstack.org/